Trojan.KillProc2.25161

Technical Information

Malicious functions

Terminates or attempts to terminate

the following system processes:

%WINDIR%\explorer.exe
<SYSTEM32>\taskhost.exe
<SYSTEM32>\dwm.exe

the following user processes:

iexplore.exe
firefox.exe

Modifies file system

Creates the following files

%WINDIR%y1s2fctrp3
%CommonProgramFiles%\microsoft shared\f07qtt [free] .avi.exe
%ProgramFiles%\dvd maker\shared\mnho9y54 uncut cock 50+ .rar.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\documentshare\wep6b08 wep6b08 vjq39c1gwy ol6p1tua .mpg.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formstemplates\bd1l5ir [free] ash .mpg.exe
%ProgramFiles%\microsoft office\office14\groove\xml files\space templates\eq7k2xcxt lpcu5ai3 porn 7vepaqjm young (sarah,sonja).zip.exe
%ProgramFiles%\microsoft office\templates\s2fkave 7nd83wovj 7nd83wovj uncut legs qq6w54yfhtqrbwcslg .avi.exe
%ProgramFiles%\microsoft office\templates\1033\onenote\14\notebook templates\4h1e2a346 porn 7nd83wovj big legs .mpg.exe
%ProgramFiles%\windows journal\templates\asian yzw1afy [bangbus] legs mg9fvb2xk9 .mpg.exe
%ProgramFiles%\windows sidebar\shared gadgets\black 8ok6yf uncut hole young (sonja).mpg.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\idtemplates\w6csjja14n1 [bangbus] lady .zip.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files\wep6b08 8ok6yf 7vepaqjm .mpeg.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files-select\8r3baiec horse nom72kl nom72kl feet .zip.exe
%CommonProgramFiles(x86)%\microsoft shared\eq7k2xcxt 7nd83wovj bq4kno ash .rar.exe
%ProgramFiles(x86)%\microsoft visual studio 8\common7\ide\vsta\itemtemplates\7b6fhxi mnho9y54 horse l9hwcs7vvnphd9 cock .avi.exe
%ProgramFiles(x86)%\windows sidebar\shared gadgets\gay 8ok6yf ihthd33 (g6u8n4r).avi.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\horse l9hwcs7vvnphd9 .mpeg.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\ ddqayq girls kfp2yqq mg9fvb2xk9 .rar.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\h93bklf [bangbus] titts sweet .mpeg.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\4h1e2a346 horse bd1l5ir [milf] (rdl1tfkz).zip.exe
%ALLUSERSPROFILE%\templates\gzn4ud7e yzw1afy [bangbus] (2hbt8wr,sarah).mpeg.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\wpjwijv bd1l5ir 7vepaqjm hole rv0y8n (dxocjwba,c4w8hqa).mpeg.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\upfgetx tsomq34 7nd83wovj [free] (sandy,36mho73).zip.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\h93bklf nude [milf] lady .zip.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\7nd83wovj cum sgu4m7oc girly .avi.exe
%ALLUSERSPROFILE%\templates\fac71w2 nude l9hwcs7vvnphd9 hole shoes (jade,jenna).mpg.exe
C:\users\default\appdata\local\microsoft\windows\<INETFILES>\yzw1afy bd1l5ir 7vepaqjm feet .mpeg.exe
C:\users\default\appdata\local\temp\ddqayq tsomq34 ihthd33 glans .mpg.exe
C:\users\default\appdata\local\<INETFILES>\7b6fhxi sperm hot (!) wifey (c4w8hqa).mpg.exe
C:\users\default\appdata\roaming\microsoft\windows\templates\w6csjja14n1 uncut .rar.exe
C:\users\default\templates\asian 8ok6yf [bangbus] jxqgtp shoes .avi.exe
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\wpjwijv yzw1afy vjq39c1gwy .mpg.exe
%TEMP%\7nd83wovj beast hot (!) .mpg.exe
%LOCALAPPDATA%\<INETFILES>\4h1e2a346 h93bklf xakmpl sgu4m7oc eigt45 .zip.exe
%LOCALAPPDATA%low\mozilla\temp-{12c7f776-de07-4d8a-a6eb-93019fcb4f66}\mzwpstr8n lpcu5ai3 7vepaqjm legs .rar.exe
%LOCALAPPDATA%low\mozilla\temp-{28060726-42ae-4e49-b300-93149d394ff5}\f1i7cm 8ok6yf ihthd33 6tl9zg0uqa .zip.exe
%LOCALAPPDATA%low\mozilla\temp-{bc1f1f78-2666-4310-aef7-f6fd5ba4bc43}\fac71w2 mnho9y54 uncut sm .mpeg.exe
%APPDATA%\microsoft\templates\w6csjja14n1 7nd83wovj uncut legs (sandy,36mho73).zip.exe
%APPDATA%\microsoft\windows\templates\ddqayq [bangbus] cock eigt45 .avi.exe
%APPDATA%\mozilla\firefox\profiles\apc2n9d1.default-release\storage\temporary\7b6fhxi beast 7vepaqjm glans qq6w54yfhtqrbwcslg .mpg.exe
%APPDATA%\thunderbird\profiles\rehh7ft5.default-release\storage\temporary\black wep6b08 [free] ash lzxyhb7k (c4w8hqa,haj1oyikd).rar.exe
%HOMEPATH%\templates\porn nude big legs 8bgkvshe1 .zip.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor\0287zh lpcu5ai3 apv53deiq9fw (sarah,dehod0).rar.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor.resources\bd1l5ir 7vepaqjm sm .zip.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor\bd1l5ir ihthd33 .mpg.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor.resources\8ok6yf apv53deiq9fw ash (y8oxsqa,2hbt8wr).rar.exe
%WINDIR%\assembly\gac_64\microsoft.sharepoint.businessdata.administration.client\asian yzw1afy apv53deiq9fw gsva2xn .zip.exe
%WINDIR%\assembly\gac_msil\microsoft.sharepoint.businessdata.administration.client.intl\ddqayq xxx [milf] .mpg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\zap9e41.tmp\upfgetx ddqayq nom72kl big wifey .rar.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\xakmpl 8ok6yf l9hwcs7vvnphd9 glans sgoibhh .mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zap6b8e.tmp\fac71w2 bd1l5ir yzw1afy [bangbus] gsva2xn (dxocjwba,haj1oyikd).rar.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape291.tmp\beast 8ok6yf big latex .mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape56e.tmp\horse 7nd83wovj nom72kl .rar.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_32\temp\horse w6csjja14n1 l9hwcs7vvnphd9 glans sm .avi.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\fac71w2 lpcu5ai3 wep6b08 7vepaqjm lady (liz,jenna).rar.exe
%WINDIR%\assembly\temp\h93bklf mzwpstr8n nom72kl .rar.exe
%WINDIR%\assembly\tmp\8r3baiec 8ok6yf vjq39c1gwy .zip.exe
%WINDIR%\microsoft.net\framework\v4.0.30319\temporary asp.net files\nom72kl epyxwn (dehod0,liz).avi.exe
%WINDIR%\microsoft.net\framework64\v4.0.30319\temporary asp.net files\z9z7rwe tsomq34 girls boots .mpeg.exe
%WINDIR%\pla\templates\yzw1afy apv53deiq9fw kfp2yqq .mpg.exe
%WINDIR%\security\templates\tsomq34 beast sgu4m7oc .mpg.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\microsoft\windows\<INETFILES>\7nd83wovj ihthd33 zn3tvn (jade,rdl1tfkz).rar.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\temp\xxx sperm ihthd33 .mpeg.exe
%WINDIR%\serviceprofiles\localservice\appdata\roaming\microsoft\windows\templates\s2fkave sperm epyxwn jxqgtp .avi.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\microsoft\windows\<INETFILES>\lpcu5ai3 ihthd33 (jade).mpg.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\temp\mzwpstr8n epyxwn .zip.exe
%WINDIR%\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\templates\z1qxwcd tsomq34 [milf] girly .mpeg.exe
%WINDIR%\syswow64\config\systemprofile\8ok6yf beast bq4kno fishy .avi.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\ 8ok6yf uncut legs sgoibhh (y8oxsqa).zip.exe
%WINDIR%\syswow64\fxstmp\viaz50 porn hot (!) sgoibhh .avi.exe
%WINDIR%\syswow64\ime\shared\w6csjja14n1 xxx [bangbus] (g6u8n4r,gina).rar.exe
%WINDIR%\syswow64\config\systemprofile\s2fkave h93bklf ddqayq big nmibe2 (sonja).avi.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\s2fkave mzwpstr8n nom72kl rv0y8n .zip.exe
%WINDIR%\syswow64\fxstmp\7b6fhxi nom72kl [milf] 40+ .zip.exe
%WINDIR%\syswow64\ime\shared\tsomq34 [milf] (dxocjwba).zip.exe
%WINDIR%\temp\nude uncut wifey .zip.exe
%WINDIR%\winsxs\installtemp\jxaglwti nude epyxwn jxqgtp lady .zip.exe
<Current directory>\sqjaed7r1vnw

Network activity

TCP

Other

'34.##9.100.209':443

Miscellaneous

Searches for the following windows

ClassName: 'Progman' WindowName: ''
ClassName: 'Proxy Desktop' WindowName: ''

Restarts the analyzed sample

Executes the following

'%WINDIR%\explorer.exe'

Technologies

Begriffe

Schulung und Training

Mythen

Technical Information

Curing recommendations

Free trial